Task section & task gate
2022-04-22 07:39:00 【Misaka10046】
The TSS segment is used when switching privilege levels: its contents replace the values held in the original registers.
Structure of the TSS segment: 104 bytes in total. It stores the registers of the previous process, its stack and other information.

The task-gate descriptor is also stored in the IDT. Its Reserved fields are all reserved bits; you do not need to construct them yourself.

The TSS segment descriptor is stored in the GDT. When its TYPE field is 9 (1001b), this TSS is not loaded into the TR register; when TYPE is B (1011b), this TSS is loaded into TR.

TR register

Construction process
Find where the current TSS segment descriptor is located in the GDT.

Go to that address and inspect the structure: it is all zeros except esp and ss, which hold data.

Construct a TSS segment descriptor in another location.

Then use `!process 0 0` to obtain CR3 (the page base address), fill in its value, and the switch succeeds.

Code
#include "stdafx.h"
#include <WINDOWS.H>
// 32-bit x86 Task State Segment, laid out field-for-field like the hardware
// TSS (0x68 = 104 bytes, the size the article quotes). On a task switch into
// `tss` the CPU loads the registers and stack pointers from here and saves the
// outgoing task's state back into the TSS it leaves. Offsets are in the
// trailing comments; the order and packing must not change.
typedef struct _KTSS
{
    USHORT Backlink; //0x0  selector of the previous TSS; written by the CPU on a call/int-initiated switch and used by iretd when NT is set
    USHORT Reserved0; //0x2
    ULONG Esp0; //0x4 ring-0 stack pointer
    USHORT Ss0; //0x8 ring-0 stack segment selector
    USHORT Reserved1; //0xa
    ULONG NotUsed1[4]; //0xc  architecturally the Esp1/Ss1/Esp2/Ss2 slots (ring 1/2 stacks); left zero here
    ULONG CR3; //0x1c page directory base loaded on the switch
    ULONG Eip; //0x20 entry point of the new task (main() stores the address of test())
    ULONG EFlags; //0x24 loaded into EFLAGS on the switch
    ULONG Eax; //0x28
    ULONG Ecx; //0x2c
    ULONG Edx; //0x30
    ULONG Ebx; //0x34
    ULONG Esp; //0x38 stack pointer of the new task
    ULONG Ebp; //0x3c
    ULONG Esi; //0x40
    ULONG Edi; //0x44
    USHORT Es; //0x48
    USHORT Reserved2; //0x4a
    USHORT Cs; //0x4c
    USHORT Reserved3; //0x4e
    USHORT Ss; //0x50
    USHORT Reserved4; //0x52
    USHORT Ds; //0x54
    USHORT Reserved5; //0x56
    USHORT Fs; //0x58
    USHORT Reserved6; //0x5a
    USHORT Gs; //0x5c
    USHORT Reserved7; //0x5e
    USHORT LDT; //0x60 LDT selector
    USHORT Reserved8; //0x62
    USHORT Flags; //0x64 bit 0 is the T (debug trap) flag
    USHORT IoMapBase; //0x66 offset of the I/O permission bitmap from the TSS base
}KTSS,*PKTSS;
// Memory the task switch relies on. The TSS descriptor the article builds
// with the kernel debugger must point at `tss` (main() prints its address).
KTSS tss = { 0 };                          // TSS of the task that is switched to
char esp[0x2000] = { 0 };                  // stack of the new task (tss.Esp)
char esp0[0x2000] = { 0 };                 // ring-0 stack of the new task (tss.Esp0)
// 48-bit far pointer used by `call fword ptr buf`: 32-bit offset (ignored when
// the target is a TSS) followed by selector 0x0048, stored little-endian.
char buf[] = { 0, 0, 0, 0, 0x48, 0x00 };
// Far pointer with selector 0x0028; defined but not used by this listing.
char RET[] = { 0, 0, 0, 0, 0x28, 0x00 };
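// Body of the task that `tss` switches to. Naked: no prologue/epilogue, the
// function is entered by the task switch and leaves with a task return, not a
// normal ret.
__declspec(naked) void test()
{
    __asm
    {
        int 3
        // iretd first checks the NT bit of EFLAGS: if NT is set it locates the
        // previous TSS through Backlink and reloads the registers from it; if
        // NT is 0 it performs an ordinary interrupt return from the stack.
        // The article's TIPS section notes that int 3 clears NT, which made
        // the original listing hang here, so NT (bit 14, 0x4000) is set again
        // before the iretd.
        pushfd
        pop eax
        or eax, 0x4000
        push eax
        popfd
        iretd
    }
}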
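// Fills in `tss` and performs the task switch through a far call.
// Precondition set up out-of-band (with the kernel debugger, as the article
// describes): the GDT must hold a TSS descriptor for selector 0x48 whose base
// is the address of `tss` printed below. Without it the far call faults and
// the process is terminated instead of switching tasks.
// Returns 0 after the switch returns, 1 if the CR3 input is not a hex number.
int main()
{
    // DWORD is unsigned long on Win32, so %lx is the matching conversion.
    printf("%lx\r\n", (DWORD)&tss);
    system("pause");

    // The globals are zero-initialised already; the explicit clearing is kept
    // from the original and is harmless.
    memset(esp, 0, sizeof(esp));
    memset(esp0, 0, sizeof(esp0));

    // General registers loaded on the switch.
    tss.Eax = 0;
    tss.Ecx = 0;
    tss.Edx = 0;
    tss.Ebx = 0;
    tss.Ebp = 0;
    tss.Esi = 0;
    tss.Edi = 0;

    // Segment selectors of the new task (Windows x86 GDT layout):
    // 0x8 ring-0 code, 0x10 ring-0 data, 0x23 ring-3 data, 0x30 ring-0 FS (KPCR).
    tss.Cs = 0x8;
    tss.Ss = 0x10;
    tss.Ds = 0x23;
    tss.Es = 0x23;
    tss.Fs = 0x30;

    // Stacks grow downwards: start one slot below the top of each buffer.
    // Both buffers live in this process's user-mode address space, which is
    // why the CR3 entered below has to be this process's page directory.
    tss.Esp = (DWORD)esp + 0x2000 - 4;
    tss.Esp0 = (DWORD)esp0 + 0x2000 - 4;
    tss.Ss0 = 0x10;
    tss.Eip = (DWORD)test;   // the new task starts executing test()

    // CR3 of this process, read with `!process 0 0` in the debugger.
    DWORD dwCR3 = 0;
    printf("CR3=");
    if (scanf("%lx", &dwCR3) != 1) {
        // Malformed input would leave dwCR3 at 0 and the switch would fault;
        // stop here rather than make the far call with a bogus page directory.
        printf("invalid CR3\r\n");
        return 1;
    }
    tss.CR3 = dwCR3;

    __asm
    {
        // Far call through the selector in `buf`: the task switch into `tss`.
        // A far jmp there and back would also work; jmp marks the original
        // TSS available again, whereas call leaves it busy (nested).
        call fword ptr buf
    }
    return 0;
}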
It is also possible to jump to the task segment from the IDT, for example through a double fault.
// door.cpp : Defines the entry point for the console application .
//
#include "stdafx.h"
#include <WINDOWS.H>
// Windows' full KTSS is 0x20ac bytes; this copy stops at IoMapBase
// (0x68 = 104 bytes, the hardware TSS proper) because the trailing I/O
// permission maps (commented out below) are not needed for the switch.
// On a task switch into `tss` the CPU loads the registers and stack pointers
// from here and saves the outgoing task's state into the TSS it leaves.
// Offsets are in the trailing comments; the order and packing must not change.
typedef struct _KTSS
{
    USHORT Backlink; //0x0  selector of the previous TSS; written by the CPU on a call/int-initiated switch and used by iretd when NT is set
    USHORT Reserved0; //0x2
    ULONG Esp0; //0x4 ring-0 stack pointer
    USHORT Ss0; //0x8 ring-0 stack segment selector
    USHORT Reserved1; //0xa
    ULONG NotUsed1[4]; //0xc  architecturally the Esp1/Ss1/Esp2/Ss2 slots (ring 1/2 stacks); left zero here
    ULONG CR3; //0x1c page directory base loaded on the switch
    ULONG Eip; //0x20 entry point of the new task (main() stores the address of test())
    ULONG EFlags; //0x24 loaded into EFLAGS on the switch
    ULONG Eax; //0x28
    ULONG Ecx; //0x2c
    ULONG Edx; //0x30
    ULONG Ebx; //0x34
    ULONG Esp; //0x38 stack pointer of the new task
    ULONG Ebp; //0x3c
    ULONG Esi; //0x40
    ULONG Edi; //0x44
    USHORT Es; //0x48
    USHORT Reserved2; //0x4a
    USHORT Cs; //0x4c
    USHORT Reserved3; //0x4e
    USHORT Ss; //0x50
    USHORT Reserved4; //0x52
    USHORT Ds; //0x54
    USHORT Reserved5; //0x56
    USHORT Fs; //0x58
    USHORT Reserved6; //0x5a
    USHORT Gs; //0x5c
    USHORT Reserved7; //0x5e
    USHORT LDT; //0x60 LDT selector
    USHORT Reserved8; //0x62
    USHORT Flags; //0x64 bit 0 is the T (debug trap) flag
    USHORT IoMapBase; //0x66 offset of the I/O permission bitmap from the TSS base
    //struct _KiIoAccessMap IoMaps[1]; //0x68
    //UCHAR IntDirectionMap[32]; //0x208c
}KTSS,*PKTSS;
// Memory the task switch relies on. The TSS descriptor the article builds
// with the kernel debugger must point at `tss` (main() prints its address).
KTSS tss = { 0 };                          // TSS of the task that is switched to
char esp[0x2000] = { 0 };                  // stack of the new task (tss.Esp)
char esp0[0x2000] = { 0 };                 // ring-0 stack of the new task (tss.Esp0)
// 48-bit far pointers (32-bit offset, then selector 0x0048 / 0x0028 stored
// little-endian). This listing enters the task through the IDT, so neither
// is referenced here.
char buf[] = { 0, 0, 0, 0, 0x48, 0x00 };
char RET[] = { 0, 0, 0, 0, 0x28, 0x00 };
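// Body of the task that `tss` switches to. Naked: no prologue/epilogue, the
// function is entered by the task switch and leaves with a task return, not a
// normal ret.
__declspec(naked) void test()
{
    __asm
    {
        int 3
        // iretd first checks the NT bit of EFLAGS: if NT is set it locates the
        // previous TSS through Backlink and reloads the registers from it; if
        // NT is 0 it performs an ordinary interrupt return from the stack.
        // The article's TIPS section notes that int 3 clears NT, which made
        // the original listing hang here, so NT (bit 14, 0x4000) is set again
        // before the iretd.
        pushfd
        pop eax
        or eax, 0x4000
        push eax
        popfd
        iretd
    }
}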
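// Fills in `tss` and performs the task switch through the IDT.
// Precondition set up out-of-band (with the kernel debugger, as the article
// describes): IDT entry 0x20 must have been replaced by a task gate that refers
// to a TSS descriptor whose base is the address of `tss` printed below. Without
// it `int 0x20` does not switch tasks.
// Returns 0 after the switch returns, 1 if the CR3 input is not a hex number.
int main()
{
    // DWORD is unsigned long on Win32, so %lx is the matching conversion.
    printf("%lx\r\n", (DWORD)&test);
    printf("%lx\r\n", (DWORD)&tss);
    system("pause");

    // 0xcc fill pattern, presumably so the stacks stand out in the debugger
    // (0xcc is also the int 3 opcode).
    memset(esp, 0xcc, sizeof(esp));
    memset(esp0, 0xcc, sizeof(esp0));

    // General registers loaded on the switch.
    tss.Eax = 0;
    tss.Ecx = 0;
    tss.Edx = 0;
    tss.Ebx = 0;
    tss.Ebp = 0;
    tss.Esi = 0;
    tss.Edi = 0;

    // Segment selectors of the new task (Windows x86 GDT layout):
    // 0x8 ring-0 code, 0x10 ring-0 data, 0x23 ring-3 data, 0x30 ring-0 FS (KPCR).
    tss.Cs = 0x8;
    tss.Ss = 0x10;
    tss.Ds = 0x23;
    tss.Es = 0x23;
    tss.Fs = 0x30;

    // Stacks grow downwards: start one slot below the top of each buffer.
    // Both buffers live in this process's user-mode address space, which is
    // why the CR3 entered below has to be this process's page directory.
    tss.Esp = (DWORD)esp + 0x2000 - 4;
    tss.Esp0 = (DWORD)esp0 + 0x2000 - 4;
    tss.Ss0 = 0x10;
    tss.Eip = (DWORD)test;   // the new task starts executing test()

    // CR3 of this process, read with `!process 0 0` in the debugger.
    DWORD dwCR3 = 0;
    printf("CR3=");
    if (scanf("%lx", &dwCR3) != 1) {
        // Malformed input would leave dwCR3 at 0 and the switch would fault;
        // stop here rather than raise the interrupt with a bogus page directory.
        printf("invalid CR3\r\n");
        return 1;
    }
    tss.CR3 = dwCR3;

    _asm
    {
        // Software interrupt through IDT[0x20]; with a task gate installed
        // there this is the task switch into `tss`.
        int 0x20
    }
    return 0;
}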
Modify the IDT table: after one fault, a second fault transfers control to the task segment.

Modify the GDT table.

Enter the page base address from CR3 to perform the privilege switch.

TIPS
When int 3 breaks in, if the eflags register is not restored, the program will hang.
Because when switching to a TSS, the old TSS selector is saved at the head of the new TSS (as seen above). When we return with iretd, it does not use a return address the way an interrupt return does; instead it uses that TSS segment selector to find the old TSS in memory and then loads all the registers stored in it.
And INT 3 clears the four flags VM, NT, IF and TF. NT indicates a nested task; if it is cleared, the processor considers that there is no task nesting and returns as usual according to the return address, so an error occurs.
Therefore the following code is used to set the NT bit in the eflags register.
pushfd;         ; copy EFLAGS onto the stack so it can be edited
pop eax;        ; EFLAGS -> EAX
or eax,0x4000;  ; set bit 14, NT (nested task), which int 3 cleared
push eax;       ; modified value back onto the stack
popfd;          ; and back into EFLAGS, so the following iretd performs a task return through Backlink
版权声明
本文为[Misaka10046]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/04/202204220617112186.html